Mozilla Patches Firefox 26 With 14 Security Advisories

The new open-source browser release gets five critical security updates and finally delivers click-to-play functionality for some plug-ins, with more to come in the weeks ahead.

Mozilla is out today with its latest milestone Firefox release, this time providing security fixes as well as new functionality in the open-source Web browser.

The Firefox 26 release first entered beta in early November. From a security feature perspective, the big change that Firefox 26 introduces is the concept of "click-to-play" plug-ins. Prior to Firefox 26, plug-ins such as Java would just load inside the browser whenever required by a given Website, and without the need for any specific user interaction.

With Firefox 26, Mozilla has now restricted the ability of Java plug-ins to auto-load and automatically run. Other competitive Web browsers, including Apple's Safari 7, already enable the same type of functionality. One of the primary differences between Firefox 26's click-to-play implementation and Safari 7's is that Firefox currently does not block Flash media content with click-to-play. The risk from automatically enabled plug-ins is that a user could potentially be directed to a malicious Website where a plug-in is used to automatically deliver some form of malware payload.

The plan is to expand the click-to-play effort in future releases of Firefox.

"The latest release of Firefox will continue to enable all plug-ins—except Java—by default while the click-to-play feature goes through additional testing in beta," Chad Weiner, product manager for Firefox, told eWEEK. "In the coming weeks, we will announce details of a plug-in whitelist policy that will provide a path to exempting certain plug-ins and Websites from our click-to-play policy."

From a security patch perspective, Mozilla has attached 14 security advisories to the Firefox 26 release, with five marked as critical. Three of the critical advisories deal with use-after-free memory errors. Use-after-free memory vulnerabilities occur when unused authorized memory remains accessible to other programs, enabling attackers to potentially execute arbitrary code.

Two of the three use-after-free memory vulnerabilities were reported to Mozilla by security researchers working with the BlackBerry Security Automated Analysis Team. Mozilla first began partnering with BlackBerry for security in July. The BlackBerry research team used Address Sanitizer—a widely used open-source tool for discovering memory flaws that was originally built by Google—to find the flaws.

Mozilla also credited the BlackBerry security researchers with discovering another critical flaw by using the Address Sanitizer tool.

"Security researchers Tyson Smith and Jesse Schwartzentruber of the BlackBerry Security Automated Analysis Team used the Address Sanitizer tool while fuzzing to discover a mechanism where inserting an ordered list into a document through script could lead to a potentially exploitable crash that can be triggered by web content," Mozilla's advisory explains.

Firefox 26 also includes an update rated as having high impact for a JPG image file information leak vulnerability. Mozilla Security Advisory 2013-16 credits Google security researcher Michal Zalewski with the discovery of the flaw. According to Mozilla, the flaw "could allow for the possible reading of arbitrary memory content as well as cross-domain image theft."

In addition, Mozilla credited Google with reporting a Secure Sockets Layer (SSL) certificate-related flaw. The issue, which Google reported to Mozilla on Dec. 4, involves an SSL certificate that had been erroneously issued that should no longer be trusted.

"This certificate was issued by Agence nationale de la sécurité des systèmes d'information (ANSSI), an agency of the French government and a certificate authority in Mozilla's root program," Mozilla's advisory states. "A subordinate certificate authority of ANSSI mis-issued an intermediate certificate that they installed on a network monitoring device, which enabled the device to act as a MITM proxy performing traffic management of domain names or IP addresses that the certificate holder did not own or control."

Firefox 26 isn't just about security; it also improves performance by way of at least one interesting bug fix. Mozilla bug #847223, titled "Don't decode images that aren't visible when we download them," is a bug that Gavin Sharp, lead Firefox engineer at Mozilla, sees as a great example of the benefits of Mozilla's continuous investment in memory-use improvements (project code name: MemShrink).

"Firefox is best-in-class on memory use, thanks to fixes like that one," Sharp told eWEEK. "It results in a big reduction of peak memory usage on image-heavy pages like Flickr or other image galleries, and reducing memory use has all sorts of positive additional effects like increased stability, responsiveness and performance."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.